New manufacturer — theories and predictions

ZoraIsHere

I think it'll be Mercedes, so you can only phone in your car

Molasses

No worries, high-end Snapdragon SoCs have their own secure element (Qualcomm SPU) integrated.

No, Trusted Execution Environments such as TrustZone and SGX are not secure elements. Apple SEP, Titan M2 and Qualcomm SPU are secure elements. That doesn't mean they all provide the same functionality or are on the same level for the comparable functionality that's provided.

https://nitter.net/GrapheneOS/status/1970615567821480369#m

Snapdragon can likely avoid needing to provide a separate secure element and dealing with trying to find the best one because of their integrated SPU. We have a lot more confidence in Qualcomm security than other options but their licensing, secretive approach and NIH is painful

https://nitter.net/GrapheneOS/status/1861962842154426657#m

Apple SEP is similar to Qualcomm SPU. It's a separate secure processor on the same SoC.

TEEs are not really in the same space at all because the regular CPU cores are not at all hardened against tampering and they have a ton of attack surface including endless side channels.

https://nitter.net/GrapheneOS/status/1815809906357805567#m

Qualcomm Snapdragon has their TrustZone-based QSEE as the TEE and the flagships also have their Secure Processing Unit (SPU) on as a separate processor as part of the same SoC.

In addition to a lot of extra attack surface, a TEE lacks similar protection against physical attacks

https://nitter.net/GrapheneOS/status/1815808829956796601#m

grayway2

Molasses Qualcomm SPU never prevented any android device to resist a bruteforce attack in BFU and I highly doubt it will next year.

de0u

Watermelon The secure element is by its definition a dedicated chip. That's what makes it more secure than the TEE that's integrated into the CPU.

I don't think that position is consistent with the GrapheneOS project's position as recently quoted in this thread (Molasses).

Pixels have both a TEE and a secure element, which is more secure than the TEE. Qualcomm has both a TEE and a secure element, which is more secure than the TEE.

Historically, Pixel secure elements have been off-chip and arguably more secure than Qualcomm on-chip secure elements (though honestly I am not personally aware of a long string of reported exploits of Qualcomm secure elements).

I think it may be premature to decide that the on-chip secure element for a not-yet-released device for which the GrapheneOS team does not have technical documentation is not secure enough.

Watermelon

de0u I don't think that position is consistent with the GrapheneOS project's position as recently quoted in this thread (Molasses).

What I said is correct. Some of their quotes seem to be aligned with what I said. See:

Molasses Trusted Execution Environments such as TrustZone and SGX are not secure elements. Apple SEP, Titan M2 and Qualcomm SPU are secure elements.

Molasses Apple SEP is similar to Qualcomm SPU. It's a separate secure processor

Molasses TEEs are not really in the same space at all because the regular CPU cores are (…)

(This quote implies that TEEs use the same CPU cores. The secure element has its own internal processor separate from the main CPU.)

Molasses Qualcomm Snapdragon has their TrustZone-based QSEE as the TEE and the flagships also have their Secure Processing Unit (SPU) on as a separate processor

de0u I think it may be premature to decide that the on-chip secure element for a not-yet-released device for which the GrapheneOS team does not have technical documentation is not secure enough.

I didn't say this.

Fortunately, even if it was true, I think the upsides of having another smartphone brand, non-Google, meeting GrapheneOS's requirements greatly outweigh the downsides. GrapheneOS has proper encryption, so a long password can properly remove the dependency on the secure element for brute force protection. It has exploit mitigations, USB-C port blocking, auto-reboot, zero-on-free, and reset attack mitigation which help protect data from theft while decrypted, and bring it to encrypted at rest state quickly. Most people probably wouldn't have to be bothered by someone hacking their phone with a secure element exploit, but if anyone is looking to mitigate it, it's already possible.

Viewpoint0232

de0u So far, being certified by Google requires shipping all of the Google apps (see "ii. MADA Requirements" here), which are closed-source.

If those were still sandboxed and completely removable like a user-installed app I wouldn't even mind

de0u

Viewpoint0232 If those were still sandboxed and completely removable like a user-installed app I wouldn't even mind

According to the text on the far end of the link, non-removability is part of the contract.

Watermelon

Probably9857 Though I guess that doesn't have to be a dedicated chip...

The secure element is by its definition a dedicated chip. That's what makes it more secure than the TEE that's integrated into the CPU.

Viewpoint0232 If those were still sandboxed and completely removable like a user-installed app I wouldn't even mind

I very appreciate GrapheneOS's stance in not forcing any choices of apps on users. They say it in various pages on the official website. I appreciate how the OS has a philosophy of restricting itself to be an OS rather than trying to take over my life by shoving unnecessary stuff on me. And even if they could be uninstalled, that'd still take more bandwidth and storage space on their servers.

brookie229

grayway2

Hopefully they will consider making an "a" version. I don't need or want a device costing me CAD $1500.

horde

brookie229 Will be priced similar to pixel devices

Probably9857

brookie229

Maybe in the future. Would not expect this initially. My understanding is it will initially be one flagship device.

The price-sensitive will probably need to stick with Pixel "a" devices for a while.

brookie229

Probably9857

Yep - either that or I'll pick up a primo device 1-2 years later (refurbished) I guess.

Blastoidea

Probably9857

Source?

Probably9857

Blastoidea Source?

https://grapheneos.social/@GrapheneOS/115940711543098352

And other recent social media posts

Blastoidea

Probably9857

Thank you.

thmf

There will likely be an announcement from the OEM within the next couple months.

https://grapheneos.social/@GrapheneOS/115987006592879172

subwoofer

What occurs to me about this announcement is how this affects the relationships each party has with Google. Surely Google won't continue to provide the security patches ahead of schedule? Or maybe there will be worse repercussions?
This makes me think it must be a manufacturer willing to break away completely from Google.
So maybe a niche supplier like sony, willing to go all in with GOS providing a premium device with best in class security.
Another possibility I've been thinking about, which I haven't seen mentioned, is Huawei. They have already broken away from Google. Imagine Huawei having a more secure version of android than Google. That could be huge.

andrej567

subwoofer i thought of huawei too but it looked a bit weird to me and I slapped my face almost as this company is labeled as the prolonged hand of communist party of china.
my other thought was, if huawei would provide full source code of everything-everything it might be an option.
but somebody would have to read it.

also there is the general question how stable the partnership would be.
it has to last years to pay off the effort put into it. if a company ceo changes and he is able to make 180 degree turn, then it is not good of course

de0u

subwoofer What occurs to me about this announcement is how this affects the relationships each party has with Google.

Which parties? At present Google does not have a relationship with GrapheneOS.

subwoofer Surely Google won't continue to provide the security patches ahead of schedule?

Google has been providing patches in advance to OEMs who agree that the changed code will be publicly released only in object form, not in source form. So far it is not clear that anybody is releasing them in source form.

subwoofer Or maybe there will be worse repercussions?

Repercussions for what, exactly?

subwoofer

andrej567 I'm thinking maybe they can make harmonyos an optional front end to GOS, it was itself created from a fork of asop and the new partner is apparently committing major resources to the project so maybe not quite so fanciful as it sounds
Huawei also make their own chips so someway down the line we could see a Huawei chip built to GOS spec.
Good point about the future proofing, I guess GOS have to be trusted with this. Maybe they will skiff us 😂

subwoofer

de0u Which parties? At present Google does not have a relationship with GrapheneOS

They rely on stuff produced by Google

subwoofer

de0u Google has been providing patches in advance to OEMs who agree that the changed code will be publicly released only in object form, not in source form. So far it is not clear that anybody is releasing them in source form.

I am assuming they aren't supposed to release them ahead of schedule.

de0u

Watermelon This quote implies that TEEs use the same CPU cores.

That is as I understand it.

Watermelon The secure element has its own internal processor separate from the main CPU.

That, too, is as I understand it.

What I was reacting to is this:

Watermelon The secure element is by its definition a dedicated chip.

That appears to be in opposition to material provided by the GrapheneOS project account, so I don't think it can be true "by definition".

Watermelon That's what makes it more secure than the TEE that's integrated into the CPU.

Intuitively that makes sense, but experimental data matter also. Is there a list of known exploits of Qualcomm's on-chip secure element?

wizoatk

subwoofer I am assuming they aren't supposed to release them ahead of schedule.

To be clear: they/we are allowed to distribute binaries derived from the source ahead of schedule, but not the source code itself.

« Previous Page Next Page »